Data Protection Policy & Procedures Scoil Bhríde Lackagh Data Protection Policy Data Access Request Procedures (Appendix A) Data Breach Code of Practice



Date: 20.10.2016

Categories of data: the school may hold some or all of the following information about creditors (some of whom are self-employed individuals):

  • name

  • address

  • contact details

  • PPS number

  • tax details

  • bank details and

  • amount paid.




(b) Purposes: This information is required for routine management and administration of the school’s financial affairs, including the payment of invoices, the compiling of annual financial accounts and complying with audits and investigations by the Revenue Commissioners.

(c) Security & Location: In a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Some records are manual records, kept in a personal file, while others are computer records held on school computers. All school computer records are maintained with strict security measures including password protection, adequate levels of encryption, NCTE School Firewall and regularly updated anti-virus software.


CCTV images/recordings
(a) Categories: CCTV is installed in some schools, externally i.e. perimeter walls/fencing as detailed in the CCTV Policy. These CCTV systems may record images of staff, students and members of the public who visit the premises.
(b) Purposes: Safety and security of staff, students and visitors and to safeguard school property and equipment.
(c) Location: Cameras are located externally as detailed in the CCTV Policy. Recording equipment is located in the Principal’s office.
(d) Security: Access to images/recordings is restricted to the principal & deputy principal of the school. Recordings are retained for 24 days. Images/recordings may be viewed or made available to An Garda Síochána pursuant to section 8 Data Protection Acts 1988 and 2003.
Examination results
(a) Categories: The school will hold data comprising examination results in respect of its students. These include class, mid-term, annual, continuous assessment and mock-examination results.
(b) Purposes: The main purpose for which these examination results and other records are held is to monitor a student’s progress and to provide a sound basis for advising them and their parents or guardians about subject choices and levels. The data may also be aggregated for statistical/reporting purposes, such as to compile results tables. The data may be transferred to the Department of Education and Skills, the National Council for Curriculum and Assessment and such other similar bodies.

(c) Security & Location: In a secure, locked filing cabinet that only personnel who are authorised to use the data can access. Employees are required to maintain the confidentiality of any data to which they have access. Some records are manual records, kept in a personal file, while others are computer records held on a database, which is managed by an outsourced data processing company. This is common practice in the majority of schools in Ireland. ‘Aladdin’ is the name of the school’s current cloud provider; it processes data in accordance with the school’s instructions. It is contracted to take appropriate security measures as set down in The Data Protection Acts (Section 2 (1) (d)). All school computer records are maintained with strict security measures including password protection, adequate levels of encryption, NCTE School Firewall and regularly updated anti-virus software.



Other School Policies & Data Protection
Our school policies need to be consistent with one another, within the framework of the overall School Plan. Relevant school policies already in place or being developed or reviewed, shall be examined with reference to the data protection policy and any implications which it has for them shall be addressed.
The following policies may be among those considered:


  • Child Protection Policy

  • Anti-Bullying Policy

  • Code of Behaviour

  • Mobile Phone Code

  • Admissions/Enrolment Policy

  • CCTV Policy

  • Substance Use Policy

  • ICT Acceptable Usage Policy

  • SPHE/CSPE etc.



Data Subject Rights
Data in this school will be processed in line with the data subjects' rights.
Data subjects have a right to:
(a) Request access to any data held about them by a data controller

(b) Prevent the processing of their data for direct-marketing purposes

(c) Ask to have inaccurate data amended

(d) Prevent processing that is likely to cause damage or distress to themselves or anyone else.


Dealing with Data Access Requests


  1. Section 3 access request

Under Section 3 of the Data Protection Acts, an individual has the right to be informed whether the school holds data/information about them and to be given a description of the data together with details of the purposes for which their data is being kept. The individual must make this request in writing and the data controller will accede to the request within 21 days.


The right under Section 3 must be distinguished from the much broader right contained in Section 4, where individuals are entitled to a copy of their data.



  2. Section 4 access request

Individuals are entitled to a copy of their personal data on written request.



    • The individual is entitled to a copy of their personal data (subject to some exemptions and prohibitions set down in Section 5 of the Data Protection Act)

    • Request must be responded to within 40 days

    • Fee may apply but cannot exceed €6.35

    • Where a subsequent or similar request is made soon after a request has just been dealt with, it is at the discretion of the school as data controller to comply with the second request (no time limit but reasonable interval from the date of compliance with the last access request.) This will be determined on a case-by-case basis.

    • No personal data can be supplied relating to another individual unless that third party has consented to the disclosure of their data to the applicant. Data will be carefully redacted to omit references to any other individual and only where it has not been possible to redact the data to ensure that the third party is not identifiable would the school refuse to furnish the data to the applicant.


Providing Information over the Phone

In our school, any employee dealing with telephone enquiries should be careful about disclosing any personal information held by the school over the phone. In particular the employee should:




  • Check the identity of the caller to ensure that information is only given to a person who is entitled to that information

  • Suggest that the caller put their request in writing if the employee is not sure about the identity of the caller and in circumstances where the identity of the caller cannot be verified

  • Refer the request to the principal for assistance in difficult situations. No employee should feel forced into disclosing personal information.


Sharing student data with the Department of Education
The DES developed an electronic individualised database of primary school children in the school year 2014/2015 in order to monitor the progress of students through the primary system and to aid the development of education policy and forward planning. It is called POD (Primary Online Database). Schools are asked by the DES to provide data including a child’s PPS number, name, address, DOB and nationality. Two optional pieces of information about religion and ethnic or cultural background are also sought. These are considered sensitive personal data under Data Protection legislation and require written consent from a parent/guardian for the data to be transferred to the Department. All data on POD is stored on the Revenue Commissioners’ servers, with the same security protections in place for Revenue records. For more information on POD and the fair processing of student data see DES Circular 0017/2014.
Implementation, Roles & Responsibilities
The Board of Management is the data controller and the Principal will be assigned the role of co-ordinating implementation of this Data Protection Policy and of ensuring that staff who handle or have access to Personal Data are familiar with their data protection responsibilities.

The following personnel have responsibility for implementing the Data Protection Policy:


Name: Responsibility

Board of Management: Data Controller

Principal: Implementation of Policy

Teaching personnel: Awareness of responsibilities

Administrative personnel: Security, confidentiality

IT personnel: Security, encryption, confidentiality



Ratification & Communication
When the Data Protection Policy has been ratified by the board of management, it becomes the school's agreed Data Protection Policy. It should then be dated and circulated within the school community. The entire staff must be familiar with the Data Protection Policy and ready to put it into practice in accordance with the specified implementation arrangements. It is important that all concerned are made aware of any changes implied in recording information on students, staff and others in the school community.


Review

The policy will be reviewed and evaluated at certain pre-determined times and as necessary. On-going review and evaluation should take cognisance of changing information or guidelines (e.g. from the Data Protection Commissioner, Department of Education and Skills or the NEWB), legislation and feedback from parents/guardians, students, school staff and others. The policy should be revised as necessary in the light of such review and evaluation and within the framework of school planning.



Signed: ……………………………………………………. Signed: ……………………………………

Chairperson Board of Management Principal
Date: ………………………………

Appendix A

Data Access Request Procedures

To make an access request to Scoil Bhríde Lackagh, you as a data subject must:



  1. Apply in writing requesting access to your data under section 4 Data Protection Acts. In the case of primary schools, correspondence should be addressed to the Chairperson of the Board of Management.



  2. You will be provided with a form which will assist the school in locating all relevant information that is held subject to the exceptions and prohibitions outlined in Appendix A. The school reserves the right to request official proof of identity (e.g. photographic identification such as a passport or driver’s licence) where there is any doubt on the issue of identification.




  3. On receipt of the access request form, a co-ordinator will be appointed to check the validity of your access request and to check that sufficient information to locate the data requested has been supplied (particularly if CCTV footage/images are to be searched).




  • In the case of primary schools, the co-ordinator is the chairperson of the board of management. It may be necessary for the co-ordinator to contact you in the event that further details are required with a view to processing your access request.




  4. The co-ordinator will log the date of receipt of the valid request and keep a note of all steps taken to locate and collate the requested data.




  5. The co-ordinator will ensure that all relevant manual files (held within a “relevant filing system”) and computers are checked for the data in respect of which the access request is made.




  6. The co-ordinator will ensure that the information is supplied promptly and within the advised timeframes in items 7, 8 and 9 as appropriate.




  7. Where a request is made under Section 3 of the Data Protection Acts, the following information will be supplied: (i) what the school holds by way of personal information about you (or in the case of a request under section 3 made by a parent/guardian of a student aged under 18 years, then the personal information held about that student) and (ii) a description of the data together with details of the purposes for which his/her data is being kept. Actual copies of your personal files (or the personal files relating to the student) will not be supplied. No personal data can be supplied relating to another individual. A response to your request will be provided within 21 days of receipt of the access request form and no fee will apply.




  8. Where a request is made under Section 4 of the Data Protection Acts, the following information will be supplied within 40 days and an administration fee of €6.35 will apply. The individual is entitled to a copy of all personal data, i.e.:




  • A copy of the data which is kept about him/her (unless one of the exemptions or prohibitions under the Data Protection Acts applies, in which case the individual will be notified of this and informed of their right to make a complaint to the Data Protection Commissioner)

  • Be advised of the purpose/s for processing his/her data

  • Be advised of the identity (or the categories) of those to whom the data is disclosed

  • Be advised of the source of the data, unless it is contrary to public interest

  • Where the processing is by automated means (e.g. credit scoring in financial institutions where a computer program makes the “decision” as to whether a loan should be made to an individual based on his/her credit rating), know the logic involved in automated decisions.




  9. Where a request is made with respect to examination results, an increased time limit of 60 days from the date of the first publication of the results or from the date of the access request, whichever is the later, will apply.




  10. Before supplying the information requested to you as data subject (or where the access request is made on behalf of a student aged under 18 years, information relating to the student), the co-ordinator will check each item of data to establish:




  • If any of the exemptions or restrictions set out under the Data Protection Acts apply, which would result in that item of data not being released, or

  • where the data is “health data”, whether the obligation to consult with the data subject’s medical practitioner applies, or

  • where the data is “social work data”, whether the prohibition on release applies.




  11. If data relating to a third party is involved, it will not be disclosed without the consent of that third party or alternatively the data will be anonymised in order to conceal the identity of the third party. Where it is not possible to anonymise the data to ensure that the third party is not identified, then that item of data may not be released.




  12. Where a school may be unsure as to what information to disclose, the school reserves the right to seek legal advice.




  13. The co-ordinator will ensure that the information is provided in an intelligible form (e.g. codes explained) or will provide an explanation.




  14. Number the documents supplied.




  15. Have the response “signed-off” by an appropriate person. In the case of primary schools this is the chairperson of the board of management.


  16. The school will respond to your access request within the advised timeframes contingent on the type of request made.




  17. The school reserves the right to supply personal information to an individual in an electronic format e.g. on tape, USB, CD etc.




  18. Where a subsequent or similar access request is made after the first request has been complied with, the school has discretion as to what constitutes a reasonable interval between access requests and this will be assessed on a case-by-case basis.




  19. Where you as an individual data subject may seek to rectify incorrect information maintained by the school, please notify the school and a form will be supplied to you for this purpose. You should however note that the right to rectify or delete personal data is not absolute. You have the right to make a complaint to the Data Protection Commissioner about a refusal. Where the school declines to rectify or delete the personal data as you have instructed, the school may propose to supplement your personal record, pursuant to section 6(1)(b) Data Protection Acts.




  20. In circumstances where your access request is refused, Scoil Bhríde Lackagh will write to you explaining the reasons for the refusal and the administration fee, if provided, will be returned. In such circumstances, you have the right to make a complaint to the Office of the Data Protection Commissioner www.dataprotection.ie. Similarly, the administration access fee will be refunded to you if the school/ETB has to rectify, supplement or erase your personal data.




  21. Where requests are made for CCTV footage, an application must be made in writing and the timeframe for response is within 40 days. All necessary information such as the date, time and location of the recording should be given to the school to assist it in dealing with your request. Where the image is of such poor quality as not to clearly identify an individual, that image may not be considered to be personal data. In providing a copy of personal data, the school may provide the materials in the form of a still/series of still pictures, a tape, disk, USB, with relevant images. Other people's images will be obscured before the data is released. If other people’s images cannot be obscured, then the images/recordings may not be released.



Important note to parents making access requests on behalf of their child:
Where a parent/guardian makes an access request on behalf of their child (a student aged under 18 years), the right of access is a right of the data subject (i.e. it is the student’s right). In such a case, the access materials will be sent to the child, not to the parent who requested them. This means that the access request documentation will be sent to the address at which the child is registered on the school’s records and will be addressed to the child. The documentation will not be sent to or addressed to the parent/guardian who made the request. Where a parent/guardian is unhappy with this arrangement, the parent/guardian is invited to make an application to court under section 11 of the Guardianship of Infants Act 1964. This provision enables the court (on application by a guardian) to make a direction on any question affecting the welfare of the child. Where a court issues an order stating that a school should make certain information available to a parent/guardian, a copy of the order should be given to the school by the parent/guardian and the school can release the data on foot of the court order.
Important note to students making access requests:

Where a student (aged under 18 years) makes an access request, the school may inform the student that:




  1. Where they make an access request, their parents will be informed that they have done so and

  2. A complete copy of the access request materials being furnished to the data subject by the school will also be furnished to the student’s parent/guardian.

This is provided for in the school’s Data Protection Policy. The right of access under the Data Protection Acts is the right of the data subject. However, there may be some data held by the school which may be of a sensitive nature and the school will have regard to the following guidance issued by the Office of the Data Protection Commissioner in relation to releasing such data:


- A student aged eighteen years or older (and not suffering under any medical disability or medical condition which may impair his or her capacity to give consent) may give consent themselves.
- If a student aged eighteen years or older has some disability or medical condition which may impair his or her ability to understand the information, then parental/guardian consent will be sought by the school before releasing the data to the student.
- A student aged from twelve up to and including seventeen can be given access to their personal data, depending on the age of the student and the nature of the record, i.e. it is suggested that:


  • If the information is ordinary, routine or non-controversial (e.g. a record of a test result) the student could readily be given access




  • If the information is of a sensitive nature, it would be prudent to seek parental/guardian consent before releasing the data to the student




  • If the information would be likely to be harmful to the individual concerned, parental/guardian consent should be sought before releasing the data to the student.

- In the case of students under the age of twelve, an access request may be made by their parent or guardian on the student’s behalf. However, the school must note that the right of access is a right of the data subject themselves (i.e. it is the right of the student). Therefore, access documentation should be addressed to the child at his/her address which is registered with the school as being his/her home address. It should not be addressed or sent to the parent who made the request. For further information, see “Important Note to Parents Making Access Requests on Behalf of their Child” below.


Important note to individuals making an access request:

On making an access request, any individual (subject to the restrictions outlined above) about whom a school keeps Personal Data, is entitled to:



  • a copy of the data which is kept about him/her (unless one of the exemptions or prohibitions under the Data Protection Acts apply, in which case the individual will be notified of this and informed of their right to make a complaint to the Data Protection Commissioner)

  • know the purpose/s for processing his/her data

  • know the identity (or the categories) of those to whom the data is disclosed

  • know the source of the data, unless it is contrary to public interest


Implementation & Review

The Data Access Request Procedures of Scoil Bhríde Lackagh will be implemented from March 2016. They will be reviewed and evaluated when necessary by the Board of Management, particularly if affected by changing information or guidelines (e.g. from the Data Protection Commissioner, An Garda Síochána, Department of Education and Skills, national management bodies), legislation and feedback from parents/guardians, students, staff and others.


The date from which these procedures apply is the date of adoption by the Board of Management. Implementation of the policy will be monitored by the Principal.

